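# HTTP -> HTTPS redirect
server {
    listen 80;
    server_name notify.example.com;  # replace with your domain

    # Let's Encrypt HTTP-01 challenge: must remain reachable over plain HTTP,
    # so it is matched before the catch-all redirect below.
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    # Everything else is sent to the HTTPS vhost with the same host and URI.
    location / {
        return 301 https://$host$request_uri;
    }
}

# HTTPS main configuration
server {
    # NOTE: on nginx >= 1.25.1 the `http2` flag on `listen` is deprecated in
    # favour of a separate `http2 on;` directive; this form still works there
    # and is kept for older releases.
    listen 443 ssl http2;
    server_name notify.example.com;  # replace with your domain

    # TLS certificate (Let's Encrypt)
    ssl_certificate /etc/letsencrypt/live/notify.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/notify.example.com/privkey.pem;

    # TLS settings: TLS 1.2+ with AEAD/ECDHE suites only; let the client pick
    # (all listed suites are forward-secret, so server preference buys nothing).
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    # Session tickets are on by default and nginx keeps the ticket key in memory
    # for the worker's lifetime, which weakens forward secrecy for resumed
    # sessions; the shared cache above already provides resumption.
    ssl_session_tickets off;

    # Security headers.
    # NOTE: `add_header` is NOT inherited into a location that declares its own
    # `add_header`; none of the locations below do, so these apply site-wide.
    # If you ever add an `add_header` inside a location, repeat these there.
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    # The legacy XSS auditor has been removed from current browsers and the
    # "1; mode=block" mode was itself abusable for cross-site leaks; current
    # guidance is to disable it explicitly.
    add_header X-XSS-Protection "0" always;
    # HSTS is safe to send here because port 80 already redirects everything to
    # HTTPS. includeSubDomains/preload are deliberately omitted: only add them
    # once every host under this name is HTTPS-only.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Request body size limit (file uploads); set at server level, so it applies
    # to every location below, not only /uploads/.
    client_max_body_size 10M;

    # API requests -> backend (4000)
    location /api/ {
        proxy_pass http://127.0.0.1:4000/api/;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for APPENDS $remote_addr to any client-supplied
        # X-Forwarded-For, so the backend must only trust the right-most entry
        # (or use X-Real-IP); earlier entries are attacker-controlled.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # WebSocket support (if needed). Sending "Connection: upgrade" on every
        # request is the common shortcut; the cleaner form is a
        # `map $http_upgrade $connection_upgrade` in the http context (outside
        # this server block) and `Connection $connection_upgrade` here.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    # Uploaded files -> backend
    location /uploads/ {
        proxy_pass http://127.0.0.1:4000/uploads/;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Browser-side caching of upload responses.
        expires 1d;
        # proxy_cache_valid only takes effect once a `proxy_cache` zone (declared
        # with proxy_cache_path in the http context) is enabled in this location;
        # as written nginx does not cache these responses itself, only the
        # browser does via `expires` above.
        proxy_cache_valid 200 1d;
        # NOTE(review): user uploads are served from the application's own
        # origin. nosniff helps, but if uploads may contain HTML/SVG the backend
        # should send `Content-Disposition: attachment` (or the files should be
        # served from a separate origin). Do not add that header here with
        # `add_header` - doing so would drop the server-level security headers
        # for this location (see inheritance note above).
    }

    # All other requests -> frontend (3000)
    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Next.js HMR support (development only); the Upgrade headers are
        # harmless but unnecessary for a production build.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}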